On the following page, select the newly created Provider and click the link at the top that asks you to create the appropriate IAM role. This role defines the permissions that the authenticated user will have once signed in to AWS.

Create IAM role

On the next page, select “Create New Role”, then choose a name for the role and click “Next Step.”

Name the new IAM role

On the “Select Role Type” screen, click the bubble next to “Role for Identity Provider Access,” then find the option “Grant Web Single Sign-On (WebSSO) access to SAML providers” and click “Select.” On the next screen, click “Next Step.”

Grant access to the SSO provider

Click “Next Step” on the “Verify Role Trust” screen.

The next step is to set up the actual permissions users in this role will have. You will need to select the policy that is appropriate for your users and company. Click “Select” next to your choice, and then on the next page choose “Next Step.”

You will then be taken to the “Review” screen, where you can verify your choices and select “Create Role.”

The final step is to copy the Role ARN and Provider ARN from AWS and insert them into the appropriate fields in Bitium. On the left-hand AWS menu, select the Role you just created, and copy the “Role ARN” at the top of the next page. Go back to Bitium and paste it into the corresponding field from Part 1, Step 3 above.

Copy and paste the ARN data into appropriate fields

Select “Identity Providers” on the left-hand menu, select “Bitium” (or whatever you named it in Step 3, above) and copy the “Provider ARN”. Paste it into the corresponding field in Bitium just like you did with the Role ARN.

In Bitium:

Go back to the Single Sign-On tab for AWS, confirm that you have pasted in all of the correct information from the steps above, and click the “Save Changes” button.
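A pre-flight check for the Role ARN, the Provider ARN and the role's trust relationship before the values are saved in Bitium, added here as an example and not part of the original guide. The account ID, role name and provider name are constructed placeholders, `check_sso_role` is a hypothetical helper, and the sample trust policy is the form the console's WebSSO option generates.

```python
import json
import re

# Constructed sample values: account ID, role name and provider name are placeholders.
ROLE_ARN = "arn:aws:iam::123456789012:role/BitiumSSO"
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/Bitium"
# Trust policy as shown on the role's "Trust Relationships" tab (constructed sample).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/Bitium"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
  }]
}""")
SAML_AUD = "https://signin.aws.amazon.com/saml"
ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):(role|saml-provider)/[\w+=,.@/-]+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_sso_role(role_arn, provider_arn, trust_policy):
    """Hypothetical helper: return a list of problems (empty means consistent)."""
    role_arn, provider_arn = role_arn.strip(), provider_arn.strip()
    role, prov = ARN_RE.match(role_arn), ARN_RE.match(provider_arn)
    problems = []
    if not role or role.group(2) != "role":
        problems.append("Role ARN is not an IAM role ARN")
    if not prov or prov.group(2) != "saml-provider":
        problems.append("Provider ARN is not a SAML provider ARN")
    # This walkthrough creates both objects in one account, so a mismatch
    # points to a value copied from the wrong console session.
    if role and prov and role.group(1) != prov.group(1):
        problems.append("Role and provider are in different accounts")
    trusted = False
    for st in as_list(trust_policy.get("Statement", [])):
        principal = st.get("Principal")
        federated = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") != "Allow" or provider_arn not in federated
                or "sts:AssumeRoleWithSAML" not in as_list(st.get("Action", []))):
            continue
        trusted = True
        # The console wizard adds this audience condition; flag policies that lack it.
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if as_list(aud) != [SAML_AUD]:
            problems.append("Trust statement lacks the expected SAML:aud condition")
    if not trusted:
        problems.append("Role trust policy does not allow this provider")
    return problems
```

An empty list means the two ARNs are of the right type, belong to one account, and the role trusts the provider for `sts:AssumeRoleWithSAML` only.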